The work the CST is doing is critical and I appreciate their hard work. However, I am wondering if others have been able to successfully apply the cumulative source patch for CE GA1?

I have attempted to use both 'patch' and 'git apply' as outlined at http://www.liferay.com/community/security-team/cst-process#patchinfo but without success. I am getting the following output when using 'patch' against a new download of the GA1 source:

Are the patch files made with the --binary option because some files in the Liferay source are in LF while others are in CR+LF? It really gets more complicated if a user made some changes (example: opening a CR+LF file in Ubuntu and saving the file without making any textual changes may save the file in LF).

Another question is, are you testing these patches with the Liferay 6.1.0 CE source file download?

I just tested the patches and everything seems to work except for the following 2 patches. I think the problem is that the patches are each created from the unchanged master source instead of the patched source. That is, if the file is patched by multiple LPSs, the row numbers in the patch are only going to be correct in the first patch.

LPS-26940
LPS-28934

I've used the Liferay 6.1.0 GA1 source code available from the download site (not the GitHub nor SVN):

patch -p1 --dry-run < *.patch

Some of the line numbers aren't matching, so they need to be adjusted to make the command work. I've applied the patches in the order listed in the security page:

LPS-27726
LPS-26935
LPS-26940
LPS-28309
LPS-28358
LPS-26930
LPS-28423
LPS-28836
LPS-28934

EDIT: seems like the patch is deleting some necessary rows.

Yeah, that's probably the case. If you want all the patches, then best go with the cumulative source patch. We don't test all of the possible combinations of individual patches. We do a best effort test of the cumulative patch. I'll add this to the CST information page.

Ok I updated the docs on the CST page. You can use patch -p1 --binary < patchfile as a workaround (I tested this on Windows and Ubuntu). Mac doesn't seem to need it. If you find other oddities, let us know!

BTW, I was wrong: --binary does absolutely nothing to help here on Linux. I was testing using the GitHub source bundle, which has no issues. It is the SourceForge source bundle that is the problem. That is the one where the line endings on the source files themselves need to be converted before the patch will apply. I've updated the CST docs! And we are checking to see what can be done about SourceForge.
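The fix described above is converting the line endings of the source files, not of the patch. The script below is an added example (not from this thread, the CST docs, or Liferay) that reads a git-style unified diff, works out which files it touches using the same -pN path-stripping semantics as `patch`, and converts CRLF to LF only in those files, so a dos2unix run does not sweep through the whole tree. The file names and hunks in `demo()` are constructed sample data.

```python
"""Convert CRLF -> LF only in the files a unified diff touches."""
import re
import tempfile
from pathlib import Path

PLUS_HEADER = re.compile(r"^\+\+\+ (\S+)")  # "+++ b/path" lines name the target files


def patched_paths(patch_text: str, strip: int = 1) -> list[str]:
    """Paths from '+++' headers with `strip` leading components removed (patch -pN).
    Files the patch deletes (+++ /dev/null) are skipped."""
    paths = []
    for line in patch_text.splitlines():
        m = PLUS_HEADER.match(line)
        if not m or m.group(1) == "/dev/null":
            continue
        parts = m.group(1).split("/")[strip:]
        if parts:
            paths.append("/".join(parts))
    return paths


def normalize_targets(root: Path, patch_text: str, strip: int = 1) -> list[str]:
    """Rewrite CRLF as LF in each existing target file that contains CRLF.
    Returns the relative paths that were changed so they can be reviewed."""
    converted = []
    for rel in patched_paths(patch_text, strip):
        target = root / rel
        if not target.is_file():
            continue  # file added by the patch, or wrong -p level
        data = target.read_bytes()
        if b"\r\n" in data:
            target.write_bytes(data.replace(b"\r\n", b"\n"))
            converted.append(rel)
    return converted


def demo() -> tuple[list[str], bytes]:
    """Constructed sample: one CRLF file, one LF file, one deleted file."""
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "src" / "Crlf.java").write_bytes(b"int a;\r\nint b;\r\n")
    (root / "src" / "Lf.java").write_bytes(b"int c;\n")
    patch = ("--- a/src/Crlf.java\n+++ b/src/Crlf.java\n@@ -1,2 +1,2 @@\n"
             " int a;\n-int b;\n+int b2;\n"
             "--- a/src/Lf.java\n+++ b/src/Lf.java\n@@ -1 +1 @@\n-int c;\n+int c2;\n"
             "--- a/src/Old.java\n+++ /dev/null\n@@ -1 +0,0 @@\n-int d;\n")
    converted = normalize_targets(root, patch)
    return converted, (root / "src" / "Crlf.java").read_bytes()


if __name__ == "__main__":
    print(demo())  # (['src/Crlf.java'], b'int a;\nint b;\n')
```

Run it against the unpacked SourceForge bundle with the cumulative patch text, then `patch -p1 --dry-run` to confirm the hunks apply before the real run.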

Thank you for the updated instructions within the CST process page. We do all our work within Linux and I had not been bitten by the Windows CR issue in a number of years (dos2unix is your friend). With GA2 now released we are using it, but it is only a matter of time before another security issue is identified and fixed.